Transmitting Data Via the Client
- a) Hidden Form Fields
b) HTTP Cookies
c) URL Parameters- o Locate all instances within the application where hidden form fields, Cookies and URL parameters are apparently being used to transmit data via the client.
o Attempt to determine or guess the role that the item plays in the application’s logic, based on the context in which it appears and on clues such as the parameter’s name.
o Modify the item’s value in ways that are relevant to its purpose in the application. Ascertain whether the application processes arbitrary values submitted in the parameter, and whether this exposes the application to any vulnerability.
- o Locate all instances within the application where hidden form fields, cookies, and URL parameters are apparently being used to transmit data via the client.
o Attempt to determine or guess the role that the item plays in the application’s logic, based on the context in which it appears and on clues such as the parameter’s name.
o Modify the item’s value in ways that are relevant to its purpose in the application. Ascertain whether the application processes arbitrary values submitted in the parameter, and whether this exposes the application to any vulnerability.
- o If you know the value of the plaintext behind the opaque string, you can attempt to decipher the obfuscation algorithm being employed.
o As described in Chapter 4, the application may contain functions elsewhere that you can leverage to return the opaque string resulting from a piece of plaintext you control. In this situation, you may be able to directly obtain the required string to deliver an arbitrary payload to the function you are targeting.
o Even if the opaque string is impenetrable, it may be possible to replay its value in other contexts to achieve a malicious effect. For example, the pricing token parameter in the previously shown form may contain an encrypted version of the product’s price. Although it is not possible to produce the encrypted equivalent for an arbitrary price of your choosing, you may be able to copy the encrypted price from a different, cheaper product and submit this in its place.
o If all else fails, you can attempt to attack the server-side logic that will decrypt or deobfuscate the opaque string by submitting malformed variations of it — for example, containing overlong values, different character sets, and the like.
- o Locate all instances within the application where hidden form fields, Cookies and URL parameters are apparently being used to transmit data via the client.